Ensure that we are duly registered as controllers and/or processors with the Data Protection Commissioner.
Ensure that personal data is:
processed lawfully, fairly and in a transparent manner;
collected for explicit, specified and legitimate purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
accurate and, where necessary, kept up to date;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and
processed in accordance with the rights of data subjects.
Inform data subjects of all relevant matters relating to the collection of their personal data, including the purpose for which the data is being collected and the period for which the data will be stored.
Adopt policies and implement appropriate technical and organisational measures so as to ensure that the processing of personal data is performed in accordance with applicable data protection legislation.
Maintain a record of all processing operations under our responsibility.
On the written request of a data subject, provide confirmation to him/her as to whether or not personal data relating to him/her is being processed and forward to him/her a copy of the data.
On being informed of the inaccuracy of personal data by a data subject to whom such data pertains, cause the data to be rectified without undue delay.
Destroy, as soon as reasonably practicable, personal data where the purpose for which the data was collected has lapsed.
Notify the Data Protection Commissioner and the relevant data subjects, where applicable, of any personal data breach in a timely manner.
Where processing operations are likely to result in a high risk to the rights and freedoms of data subjects, carry out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data.
Shall endeavour not to:
Collect personal data unless: (a) it is done for a lawful purpose connected with one of our functions or activities; and (b) the collection of the data is necessary for that purpose.
Process personal data unless:
the data subject consents to the processing; or
the processing is necessary:
for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
for compliance with any legal obligation to which we are subject;
for the legitimate interests pursued by us, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or
for such other purpose as may be authorised by law.
Process the personal data of a data subject who has objected in writing to such processing unless we demonstrate compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms or for the establishment, exercise or defence of a legal claim.
Process the personal data of a child below the age of 16 years unless consent is given by the child’s parent or guardian.
Transfer personal data to another country:
unless we have provided to the Data Protection Commissioner proof of appropriate safeguards with respect to the protection of the personal data;
unless the data subject has given explicit consent to the proposed transfer;
the transfer is necessary for the performance of a contract between us and the data subject or the implementation of pre-contractual measures taken at the data subject’s request; or
in such other circumstances as may be allowed by law.
Without lawful excuse, disclose personal data in any manner that is incompatible with the purpose for which such data has been collected.